Back to main menu


California Consumer Privacy Act (CCPA): Why should you care?

The CCPA is the most comprehensive data regulation in the U.S., and while it may not affect you now, it may indicate what future federal data laws might look like.



There’s been an ongoing gold rush, not for precious metals, but for personal consumer data. For a while, this highly valuable resources was up-for-grabs with minimal or non-existent consumer protections. But it’s no longer the wild west, and the era of free range data in the U.S. has ended with California being the first state to get a proper handle on data privacy legislation.

While we wait for federal data policies to be passed, the California Consumer Privacy Act (CCPA) has become the gold standard this side of the Atlantic, following in the footsteps of Europe’s GDPR. In this post, we'll tell you all you need to know about the CCPA, what it means for senders, for businesses, and how to comply with it.

What is the CCPA?

Just another piece of legislation? Time will tell...

The California Consumer Privacy Act (CCPA) is legislation that protects the data rights of California residents. It holds for-profit businesses that collect consumer data to strict data standards, regardless of where the organization is based. That means that any company dealing with personal data belonging to California residents must comply with CCPA.

Spoiler alert (maybe), there is some speculation that the CCPA is the first move indicating California is moving toward a model where consumers are paid directly for their data.

What is the history of the CCPA?

The CCPA was passed and signed by Gov. Brown on June 28, 2018. It became effective on January 1, 2020 and was dependent on the withdrawal of the previous Consumer Right to Privacy Act (initiative 17-0093).

The CCPA gives consumers more control over their personal data, and it continues to evolve.

In November of 2022, California voted to approve Proposition 24 (a.k.a. the California Privacy Rights Act or CRPA), which will amend the CCPA with additional privacy protections that go into effect on January 1, 2023.

That’s a lot of acronyms. Here’s a quick snapshot of what to expect under the pending CRPA:

  • Residents will gain the right to correct inaccurate personal information that a business has collected on them.

  • Residents will have the right to limit the use and disclosure of sensitive personal information collected about them.

We don’t have all the details on the CPRA yet but stay tuned to our blog for of-the-moment updates as legislation evolves.

Whose data rights are covered under the CCPA?

Good question.

Personal data rights are only protected under the CCPA if you are a resident of California.

What counts as PPI under CCPA?

CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and does not include publicly available information.

Personal identifiable information (PII) covers a few categories. From identifying data like your name, email, IP address, and social security number, to biometric information, geolocation data, and your browser history.

Here’s a summary of what counts —and doesn’t count— as PPI in California:

Coun­ts as PPI

Coun­ts as PPI

Di­rect iden­tifiers

Your­ name­, bank­ or cred­it card­ deta­ils, home­ and emai­l addr­esses, phon­e numb­er, etc.­

In­direct iden­tifiers

Uniq­ue iden­tifiers like­ your­ user­names, acco­unt name­s, IP addr­esses, or reco­rds that­ hold­ indi­rect iden­tifiers like­ invo­ice or tick­et numb­ers.

In­ternet data­

Cook­ie pref­erences, brow­sing hist­ory, web anal­ytics, sear­ch hist­ory, and app acti­vity.

Ge­olocation data­

Mobi­le devi­ce loca­tion hist­ory, geol­ocation link­ed to app acti­vity, geot­ags on phot­os and vide­os, imag­es that­ show­ iden­tifiable land­marks or loca­tion name­s.

Pr­otected clas­s data­

Your­ race­, gend­er, sexu­al orie­ntation, nati­onality, age,­ citi­zenship stat­us, or disa­bility stat­us.

Ed­ucational data­

Inst­itutes and year­s atte­nded, grad­es, gran­ts, and scho­larships.

In­ferred data­

Conc­erns data­ from­ prof­iles buil­t abou­t you thro­ugh an orga­nization’s anal­ytics, your­ pref­erences, char­acteristics, psyc­hological pred­ispositions, atti­tudes, and soci­al and poli­tical pref­erences.

Co­mmercial data­

Prop­erty reco­rds, purc­hase invo­ices, mark­eting reco­rds, pre-­sales quer­ies.

Does­n’t coun­t as PPI - Thes­e are the exce­ptions:

Does­n’t coun­t as PPI - Thes­e are the exce­ptions:

Da­ta and cons­ent

When­ the user­ (per­son iden­tified in the data­) cons­ents to the orga­nization sell­ing thei­r info­rmation to a thir­d part­y.

Ps­eudonymized data­

Orga­nizations are perm­itted to sell­ user­ data­ that­ has been­ mask­ed, hidd­en, or scra­mbled in some­ way to prot­ect pers­onal deta­ils.

Pu­blicly avai­lable data­

Data­ that­ is publ­ic reco­rd like­ list­ed numb­ers or publ­ic prop­erty reco­rds does­ not coun­t unde­r PPI.­

What rights do California residents have under CCPA?

The main consumer rights granted to California residents under CCPA are five: the right to access, the right to know, the right to delete, the right to opt in and opt-out, and to non-discrimination.

These are its privileges:

  • The right to know: California residents have a right to know what data is being collected about them. Under the CCPA, business can collect any information that identifies or relates to you or your household. Information that is a matter of public record, like property records and public education records are not protected data. CA residents can also request (up to twice per year) their personal data that the business sells or discloses to third parties.

  • The right to access: The CCPA requires a business to respond to an access request by disclosing all information that it has collected about a consumer in the previous 12 months. The CCPA allows very few exceptions to a business’s obligation to provide access to information.

  • The right to delete: Californian residents can request that their PPI is deleted, not just from the company’s databases but from their service providers. An exception to this rule would be any data that the company is otherwise legally required to keep.

  • The right to opt-out: This doesn’t opt you out of data collection but prevents the company from selling your information to third parties. Additionally, it forces the company to wait at least 12 months before asking you to opt back in.

  • The right to non-discrimination: Discrimination laws protect CA residents who have exercised their rights under the CCPA. Companies cannot interrupt or affect your service based on how you decide to manage your data.

How is CCPA different from GDPR?

There is a lot of comparison going around between the EUs General Data Protection Regulation (GDPR) and the CCPA. The good news? If you’re already GDPR compliant, CCPA compliance is only a small step away.




May 25, 2018­

Janu­ary 1, 2020­



Glob­al busi­nesses that­ proc­ess pers­onal data­ of EU citi­zens incl­uding nonp­rofits that­ acce­pt dona­tions from­ EU citi­zens.

Busi­nesses oper­ating in CA that­ have­ reve­nue of $25M­ or more­, or proc­ess data­ on 50,0­00 resi­dents or more­.



EU citi­zens

Only­ resi­dents of CA


€20M­ or 4% of annu­al glob­al turn­over (whi­chever is grea­ter).

$100­-$750 per cons­umer per inci­dent. $240­0-$7500 per civi­l viol­ation.

Righ­t to know­

EU citi­zens have­ the righ­t to know­ the purp­ose for proc­essing thei­r data­ (at the time­ of coll­ection), deta­ils of the data­ cont­roller, who is rece­iving the data­, and how long­ thei­r info­rmation is reta­ined.

CA resi­dents must­ be info­rmed abou­t the reas­on for data­ coll­ection at­ the poin­t of coll­ection. They­ have­ the righ­t to requ­est a copy­ of the data­ coll­ected on them­.

Righ­t to dele­te

Cove­rs all data­ that­ conc­erns a citi­zen rega­rdless of data­ orig­in.

Cove­rs data­ coll­ected from­ the CA resi­dent only­.

Righ­t to opt out

No righ­t to opt out

Resi­dents can opt out of data­ coll­ection, and requ­est thei­r data­ not be sold­. Addi­tional prot­ections are in plac­e to prev­ent disc­rimination if a resi­dent opts­ out.­

Data­ brea­ches

Comp­anies acti­ng as data­ cont­rollers must­ repo­rt a data­ brea­ch with­in 72 hour­s to the data­ prot­ection auth­ority.

Businesses are not requ­ired to report data brea­ches under the CCPA as they are alre­ady obligated under California law.

What are some of the criticisms of the CCPA?

You know what they say... You can’t please everyone.

We compare data to gold and oil, natural resources that fuel our progress, but data is different. It’s the most influential resource we have, and the most revealing. Data reveals behaviors and personal information of the human population – making it equal parts natural resource and personal property.

As data regulations become more consumer focused, some primary concerns unfold. An increased requirement for opt-outs, unsubscribes, and disclaimers makes it challenging — and expensive — for businesses to restructure their data processes to scale with these regulations.

The other main concern relates to designation and translating terms for clients. More restrictions on distinctions about which types of businesses are considered service providers, and the need for longer privacy policies and terms, make the legal side of operations much more demanding.

The CCPA is not stagnant. In California, data laws are about to change again with the introduction of CPRA, which will extend data protection for California residents even further, probably resulting in additional criticism from business throughout the country.

There have also been calls for a federal or nation-wide applicable law, since the CCPA is related to California residents only, making some businesses question whether or not they must comply.

What does the CCPA mean for businesses?

The CCPA only applies to for-profit businesses that do business in California and meet certain conditions. Non-profits and government agencies are exempt. These are the parameters:

  • Businesses with a gross ARR of $25M and above.

  • Businesses that buy, receive, or sell personal information of 50,000 or more CA residents.

  • Businesses that derive 50% or more ARR from selling CA resident’s personal information.

Managing data expectations

Strict data laws mean lots of opportunities for users to make requests based on their rights. That can mean an increase in workload for support teams, not to mention potential hefty fines. There are some best practices to counteract this: double opt-ins, clear unsubscribe links, and notices of data collection processes.

What does the CCPA mean for data processors like Mailgun?

As a business that does business with California residents and CA-based companies, the CCPA affects us, our clients and their businesses – and other businesses like us – under the same terms outlined above.

Beyond being an issue of data compliance, legislations like the CCPA and the GDPR are created to make users feel safer about their data on the internet. Email plays a big role in online marketing and communications, and Sinch Mailgun is invested in treating data as a respected, personal asset. Mailgun has and will continue to respect our customers’ privacy and will make sure to abide by all applicable laws and regulations.

The future of data

The CCPA isn’t a federal law, but according to Cisco’s Consumer Privacy Survey, 89% of people say they care about data privacy and want more control. Compliance standards are always evolving and individual states rolling out their own privacy laws could indicate that federal data laws are not far behind. At Mailgun, we’re evolving right along with them.


We’re keeping our eyes on the American Data Privacy Protection Act (ADPPA) for one. This bipartisan U.S. legislations isn’t federal law yet, but if enacted it would standardize how the U.S. manages and processes data both Nationally and across different industries and would open the door wider for future global data policies.


For recent progress on a data protection standpoint, an Executive Order was signed by President Biden in early October implementing the European Union-U.S. Data Privacy Framework, which takes us closer to cross border data transfer protections.

Mailgun’s ongoing commitment

Our dedication to user data protection is a big part of our personality. And we’re pretty passionate about delving into the details. Learn more about how we approach and value your security with our in-depth breakdown of email security and compliance.

Learn about email security and compliance

Email security and compliance

Email security isn't easy. But you need to protect your business, brand, employees, and subscribers. Find out about the benefits of continually improving email security and compliance from our industry experts. It's yours to explore. No form filling required.

Disclaimer: U.S. data protection laws, including the CCPA, are complex. This blog post shouldn’t be considered legal advice. Please consult a legal professional for details on how the CCPA impacts your specific business case.

Related readings

The basics of SPF records

SPF doesn’t refer to how long you can wait before you have to reapply your sunblock (seriously, go get some). Instead, the term “SPF” refers to a security measure that helps...

Read more

Navigating global data compliance and regulations in 2024

Protection from loss, theft, and corruption – these are the goals of data privacy regulations. Adhering to these regulations makes you a trusted sender but it takes...

Read more

Why improving email security helps protect the global economy

The economy is a complex, interconnected system with many moving parts. In the current global economic climate, it feels a little like we’re being tossed around in an unpredictable...

Read more

Popular posts

Email inbox.

Build Laravel 10 email authentication with Mailgun and Digital Ocean

When it was first released, Laravel version 5.7 added a new capability to verify user’s emails. If you’ve ever run php artisan make:auth within a Laravel app you’ll know the...

Read more

Mailgun statistics.

Sending email using the Mailgun PHP API

It’s been a while since the Mailgun PHP SDK came around, and we’ve seen lots of changes: new functionalities, new integrations built on top, new API endpoints…yet the core of PHP...

Read more

Statistics on deliverability.

Here’s everything you need to know about DNS blocklists

The word “blocklist” can almost seem like something out of a movie – a little dramatic, silly, and a little unreal. Unfortunately, in the real world, blocklists are definitely something you...

Read more

See what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon